svihla@evax0.eng.fsu.edu (C. Kurt Svihla) (11/28/90)
This is not the best place to post this query but I was unable to post to the somewhat more logical COMP.VIRUS.

Our department recently discovered the STONED virus on six of our computers. We were able to detect it and remove it with no apparent damage to our system. Is STONED usually this benign or were we just lucky?

As I understand it, STONED can only propagate from a floppy to a hard drive if a boot is initiated while an infected floppy is in the A: drive. Is STONED unable to propagate in this manner from a B: drive? How about from a Zenith PC, which is usually set to default boot from the hard drive - will STONED only propagate if you initiate a floppy boot via the Monitor program with a defective floppy in the A: drive?

Lastly, we found STONED on many of our floppy disks - how does STONED transfer from the hard disk to a floppy? Does this only occur when you format a floppy disk on an infected machine? Does the presence of the STONED virus on a floppy disk imperil the information stored on it in any way, or does the floppy just act as a vector for the STONED virus?

Thanks in advance for any responses.

______________________________________________________________________
C. Kurt Svihla       |                                                 |
SVIHLA@EVAX.ENG.FSU  |                SPACE AVAILABLE                  |
_____________________|_________________________________________________|
smsmith@hpuxa.ircc.ohio-state.edu (Stephen M. Smith) (11/28/90)
In article <1990Nov27.141833.18847@mailer.cc.fsu.edu> svihla@evax0.eng.fsu.edu writes:
>
> Our department recently discovered the STONED virus on six of our computers.
> We were able to detect it and remove it with no apparent damage to our system.
> Is STONED usually this benign or were we just lucky? As I understand it, STONED
> can only propagate from a floppy to a hard drive if a boot is initiated while
> an infected floppy is in the A: drive. Is STONED unable to propagate in this
> manner from a B: drive? How about from a Zenith PC, which are usually set to
> default boot from the hard drive - will STONED only propagate if you initiate
> a floppy boot via the Monitor program with a defective floppy in the A: drive?
> Lastly, we found STONED on many of our floppy disks - how does STONED transfer
> from the hard disk to a floppy? Does this only occur when you format a floppy
> disk on an infected machine? Does the presence of the STONED virus on a floppy
> disk imperil the information stored on it in any way, or does the floppy just
> act as a vector for the STONED virus? Thanks in advance for any responses.

Ah, yesssssss....the STONED virus. About 6 months ago I learned all about the STONED virus the hard way!!! The whole ordeal also was my first real hacking experience...

This is what the STONED virus does according to my observations: It takes the info from the boot sector of a floppy disk (sector number one), transfers it in whole to sector number eleven, then overwrites sector one with near identical data but with a nice message saying "YOUR PC HAS JUST BEEN STONED. LEGALIZE MARIJUANA!" (or something like that). That's how it got its name--the "STONED" virus. It *is* a very benign virus and it is easy to remove if you have the right utilities. I'll explain that below.

The STONED virus is really sneaky. If a computer has been affected, all you have to do to get it on your floppy is to place it in the drive and do a simple "dir" on the floppy, and....voila!! Instant virus on your floppy! No warning, no write command, no copy command-- just a simple read command will do it. It even suppresses the "disk is write-protected" message if it can't write on your disk. Swift, clean, and insidious... It infected about 10 of my disks.

(I think I'll cross-post this to alt.folklore.computers for the following hilarious story...)

There I was trying to get a new word processor to work in a particular video setting. I had about a dozen new disks I was using--the real expensive Verbatim teflon-coated preformatted factory fresh kind. I had spent several days on this computer (in a computer lab) and had *just* finished arranging all the files exactly the way I wanted them when I noticed that one of the file's names had been changed. The new name isn't printable here because it included a bunch of non-ASCII characters. So of course I couldn't simply "ren" the file because I couldn't enter those characters, and that also meant I couldn't delete it. And then in trying to get this solved another file or two did the same thing. "Stupid machine; the floppy must be making mistakes on me," I thought. So I formatted the disk, recopied files for the millionth time, and it went away. Temporarily...

Fortunately I had a virus scanning program with me. After an hour or so of frustration I decided I might as well run the scan (not expecting anything to happen of course). Lo and behold, the scan came up with a virus on my diskette. "Where did I get this?" I checked another disk..."Wow, there it is again." About 6 or 7 disks later I realized it was on every disk I was putting in the machine. Not only that, but when I formatted a disk that was infected it *still* came up with the virus on it. "Ah hah! I'll do a virus scan on an *uninfected* disk.... What?!!! On this disk too!!! And it was straight out of the box-- preformatted at that! THERE'S A VIRUS AT VERBATIM--I BETTER CALL THEM QUICK! Boy, I can't imagine how many tens of thousands of virus-infected disks they must be shipping out!" So I rushed to the phone and dialed their 1-800 number and... they were closed. It was Friday night and they wouldn't be open again till Monday. Lucky for me, too!

Well, I don't know what finally clued me in to the situation here. I found out that if I put a *write-protected* new disk in the drive and did a scan it came up clean, but if it was not write-protected it was infected. Conclusion: The computer was writing the virus on every disk that I scanned for the virus. As I said above: Insidious. I now realize that the reason the file names were getting screwed up was that by writing over sector 11 the virus was messing around with the FAT (File Allocation Table).

How to get rid of it: Put in an uninfected disk with write-protection on it. Use a sector reading/writing utility and copy sector 11 into memory, then remove the disk. Put in the infected, unprotected disk and write the info from memory onto the infected disk's sector 11. Repeat the process with sector 1. This is all from memory, so I hope that sector 11 is correct. Just look at it and see if the boot info has been placed there.

In order to clear it off the hard disk you will need a virus remover. Simply deleting all the files and recopying them back may not work because they tried that on my computer and it was still there, though I think the reason for that is they booted from the hard drive rather than the floppy before they erased the disk and did the recopying.

Good luck.

S. "Stevie" Smith      \  +  /
<smsmith@hpuxa.        \+++++/  " #*&<-[89s]*(k#$@-_=//a2$]'+=.(2_&*%>,,@
ircc.ohio-state.        \  +  /    {7%*@,..":27g)-=,#*:.#,/6&1*.4-,l@#9:-) "
edu>                    \  +  /
BTW, WYSInaWYG          \  +  /              --witty.saying.ARC
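The layout Stevie describes (original boot sector parked in a later sector, a stub with a text marker written in its place) is exactly what a scanner looks for and what a cleaner undoes. The following Python is an added example written for this thread, not code from any poster or from any of the products named. It assumes a 360K floppy image (512-byte sectors, 9 sectors per track, 2 heads, 40 tracks), assumes the parked copy lives at 0-based logical sector 11 (track 0, head 1, sector 3), which on a 360K disk is the last root-directory sector, and assumes a marker string of "Your PC is now Stoned!"; the test image is constructed in the code and contains no viral code, only the on-disk layout. It checks the 55AA boot signature, flags the marker, restores the parked boot sector, and refuses to touch an image the caller has marked write-protected, matching the observation that write-protected disks stayed clean.

```python
"""Detector and cleaner for the parked-boot-sector layout described in the thread.

Added example; assumptions (not from the original posts) are labelled below.
"""

SECTOR = 512
SECTORS_PER_TRACK = 9          # assumed 360K geometry
HEADS = 2
TRACKS = 40
BOOT_SECTOR = 0                # DOS logical sector 0 is the boot sector
PARK_SECTOR = 11               # assumed: track 0, head 1, sector 3 (last root-dir sector)
MARKER = b"Your PC is now Stoned!"   # assumed marker text in the infected boot sector
BOOT_SIGNATURE = b"\x55\xAA"


def chs_to_lba(track: int, head: int, sector: int) -> int:
    """Map a cylinder/head/sector triple (sector is 1-based) to a 0-based logical sector."""
    return (track * HEADS + head) * SECTORS_PER_TRACK + (sector - 1)


def read_sector(image: bytes, n: int) -> bytes:
    return bytes(image[n * SECTOR:(n + 1) * SECTOR])


def write_sector(image: bytearray, n: int, data: bytes) -> None:
    assert len(data) == SECTOR, "sector writes must be exactly one sector"
    image[n * SECTOR:(n + 1) * SECTOR] = data


def make_clean_image() -> bytearray:
    """Constructed 360K image: a plausible boot sector and one root-directory entry."""
    image = bytearray(SECTOR * SECTORS_PER_TRACK * HEADS * TRACKS)
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"          # short jump over the BPB, as DOS boot sectors start
    boot[3:11] = b"MSDOS3.3"             # OEM name (constructed)
    boot[510:512] = BOOT_SIGNATURE
    write_sector(image, BOOT_SECTOR, bytes(boot))
    directory = bytearray(SECTOR)
    directory[0:32] = b"README  TXT" + bytes(21)   # one 32-byte directory entry
    write_sector(image, PARK_SECTOR, bytes(directory))
    return image


def simulate_parked_layout(image: bytes) -> bytearray:
    """Reproduce only the disk layout the post describes, for testing the scanner.

    The boot sector is copied to PARK_SECTOR (clobbering the directory entries there)
    and replaced by a stub that carries the marker text. No executable virus code.
    """
    infected = bytearray(image)
    write_sector(infected, PARK_SECTOR, read_sector(image, BOOT_SECTOR))
    stub = bytearray(SECTOR)
    stub[0:3] = b"\xEB\x3C\x90"
    stub[0x40:0x40 + len(MARKER)] = MARKER
    stub[510:512] = BOOT_SIGNATURE
    write_sector(infected, BOOT_SECTOR, bytes(stub))
    return infected


def scan(image: bytes) -> list:
    """Read-only check; returns a list of findings (empty means nothing suspicious)."""
    findings = []
    boot = read_sector(image, BOOT_SECTOR)
    if boot[510:512] != BOOT_SIGNATURE:
        findings.append("boot sector lacks 55AA signature")
    if MARKER in boot:
        findings.append("Stoned marker text in boot sector")
    parked = read_sector(image, PARK_SECTOR)
    # A directory sector should never look like a boot sector.
    if parked[510:512] == BOOT_SIGNATURE and parked[0] in (0xEB, 0xE9):
        findings.append("boot-sector-like data parked at logical sector %d" % PARK_SECTOR)
    return findings


def disinfect(image: bytes, write_protected: bool = False):
    """Restore the parked boot sector. Returns (new_image, changed)."""
    if write_protected:
        raise PermissionError("disk is write-protected; remove the tab or work on a copy")
    if not scan(image):
        return bytearray(image), False
    parked = read_sector(image, PARK_SECTOR)
    if parked[510:512] != BOOT_SIGNATURE:
        raise ValueError("no valid boot sector parked; restore from a clean disk instead")
    cleaned = bytearray(image)
    write_sector(cleaned, BOOT_SECTOR, parked)
    # The directory entries this sector once held were overwritten and cannot be
    # recovered from the disk itself; zero the stale copy so a rescan comes up clean.
    write_sector(cleaned, PARK_SECTOR, bytes(SECTOR))
    return cleaned, True


if __name__ == "__main__":
    clean = make_clean_image()
    suspect = simulate_parked_layout(clean)
    print("findings:", scan(suspect))
    restored, changed = disinfect(suspect)
    print("changed:", changed, "rescan:", scan(restored))
```

The cleaner deliberately mirrors the manual procedure in the post (copy the parked sector back over the boot sector) rather than anything product-specific, and it does not attempt to reconstruct the lost directory entries; that is why the garbled file names in the story could only be fixed by reformatting.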
marshall@wind55.seri.gov (Marshall L. Buhl) (11/28/90)
smsmith@hpuxa.ircc.ohio-state.edu (Stephen M. Smith) writes:

[Story about an experience with "Stoned" deleted]

>In order to clear it off the hard disk you will need a virus
>remover. Simply deleting all the files and recopying them back
>may not work because they tried that on my computer and it was
>still there, though I think the reason for that is they booted
>from the hard drive rather than the floppy before they erased
>the disk and did the recopying.

I got hit a couple of months ago. You can recover a hard disk without software, but it's a pain. I had two infected disks. One was a 150MB drive with about 100MB of data on it. The other was a 300MB drive with 280MB of data on it. I backed up all the files on the small system to tape. Did a "low-level" format of the drive, ran FDISK, then reFORMATted the drive for DOS. I then restored the tapes. This took forever. Being paranoid (well not really - people really were after me :-), I made two backups and verified both. I also verified the restore. This took me most of a very frustrating day.

When I realized how long it would take to repair the big disk, I got really depressed. I called some associates who are in the computer security business and they recommended I contact Digital Dispatch about their VirHunt package. I called them up (800-221-8091) and they said their program could remove the virus. I quickly filled out a PR, got signatures and begged my purchasing agent to call them up with a PO number. A few minutes later, I called them up. They gave me the number of their PC and I dialed in and we used Crosstalk to get the program into my PC. Fifteen minutes later, I had removed the virus from the big system. This happened within about an hour of even hearing that DDI even existed.

Talk about mood swings. I went from the deepest depression to the highest high I've ever experienced. This made manic depression look like child's play. I was literally bouncing up and down with tears running down my face. I'll be forever in debt to DDI for them saving my ass. I'll probably fondly remember them on my deathbed.

Anyway, I highly recommend the product ($50). I had a copy of McAfee's SCAN program that someone sent me to try out. When I suspected a problem, I tried SCAN and it found the virus, but wouldn't do anything to remove it. I like VirHunt much better. I've gotten rid of SCAN - it just doesn't compete. No computer support jock should live without it.

Sermon mode on...

OK folks. Whoever you are that created this cute little virus. You think it's "harmless." Well sure, it didn't destroy any data. But it did cost me more than two days' work. One wasted repairing the first hard disk and another checking every disk we have. Do you have any idea how long it takes (and how incredibly boring it is) to check dozens of hard disks and thousands of floppies? Talk about tedium. All I can say is you better not brag about writing a virus within earshot of me. You won't last the night.

Sermon mode off.

It turns out one of my users had been computing around with his home PC and brought the infection into work. Damn slut! It then spread to my secretary's disk where I found it. She had been having problems for a while and the symptoms reminded me of the Disk Killer virus (a really nasty one I hear). I was actually looking for Disk Killer when I found Stoned. Turns out she was having problems with conflicts between Crosstalk XVI and DOS 4.01. We really lucked out finding Stoned this way. A few days later and the infection could have spread throughout the institute. Instead of having to check a few dozen PCs, it would have been hundreds of hard disks and tens of thousands of floppies. Whew!

To the original poster: I think having a PC that won't boot off of drive A: would help protect you from this virus. Many people leave a floppy in the drive when they turn their PC off at night and turn it on in the morning. I also may boot a PC many times when setting one up. I don't always remember to unlatch the floppy. That's how you get it. When you boot off an infected floppy, it leaves a little TSR in memory. That TSR looks for floppy accesses and infects floppies when they are not write protected. Every time you boot from an infected hard disk or floppy, the TSR gets loaded and is ready for action. Even if your infected floppy isn't bootable, it will infect your system when it tries to boot off it. You will get the non-system disk message when you do this as you would from a normal data disk.

Personally, I feel that a PC should boot from a floppy only when you tell it to do so. It should not be the default. Maybe you BIOS manufacturers (if that's who's responsible) can take a hint. Give us a break guys.

--
Marshall L. Buhl, Jr.                EMAIL: marshall@seri.gov
Senior Computer Missionary           VOICE: (303)231-1014
Wind Research Branch                 1617 Cole Blvd., Golden, CO  80401-3393
Solar Energy Research Institute      Solar - safe energy for a healthy future
dkrause@orion.oac.uci.edu (Doug Krause) (11/28/90)
In article <marshall.659749059@wind55> marshall@wind55.seri.gov (Marshall L. Buhl) writes:
#Anyway, I highly recommend the product ($50). I had a copy of McAfee's
#SCAN program that someone sent me to try out. When I suspected a
#problem, I tried SCAN and it found the virus, but wouldn't do anything
#to remove it. I like VirHunt much better. I've gotten rid of SCAN - it
#just doesn't compete.
You also need to get CLEANUP when you get SCAN. It works quite well on
Stoned. (BTW, I lost data due to cross-linked files that I couldn't
reassemble correctly.)
Douglas Krause One yuppie can ruin your whole day.
----------------------------------------------------------------------
University of California, Irvine Internet: dkrause@orion.oac.uci.edu
Welcome to Irvine, Yuppieland USA BITNET: DJKrause@ucivmsa
brian@mermaid.micro.umn.edu (Brian) (11/29/90)
dkrause@orion.oac.uci.edu (Doug Krause) writes:
>In article <...> marshall@wind55.seri.gov (Marshall L. Buhl) writes:
>You also need to get CLEANUP when you get SCAN. It works quite well on
>Stoned. (BTW, I lost data due to cross-linked files that I couldn't
>reassemble correctly.)

Also try F-PROT (available on anonymous ftp all over, slowly from its home town of uwasa.fi) which I believe works better on Stoned than CLEANUP, and includes all sorts of scanning/disinfecting/protecting utilities for much less money than the suite of McAfee utilities. McAfee updates more often and is easier to get started with, but F-PROT is updated fairly often and is easier to use after it's set up. BTW I'm a registered SCAN user, I'll probably register F-PROT someday, but I don't really use my clone for much beyond being a terminal anymore.

If anyone suspects a virus on their machine, or wants to know more about viruses, read comp.virus for a while, and use SCAN or F-PROT (MS-DOS) to check for viruses. You can ftp to mibsrv (130.160.20.80) and look in pub/ibm-antivirus.

Followup set to comp.sys.ibm.pc.misc, BTW.

--
Brian   "When I have a headache, NO ONE gets laid!"
hv@uwasa.fi (Harri Valkama LAKE) (11/29/90)
In article <1990Nov28.191327.2680@cs.umn.edu> brian@mermaid.micro.umn.edu (Brian) writes:
>dkrause@orion.oac.uci.edu (Doug Krause) writes:
>>In article <...> marshall@wind55.seri.gov (Marshall L. Buhl) writes:
>
>Also try F-PROT (available on anonymous ftp all over, slowly from it's home
>town of uwasa.fi) which I believe works better on Stoned than CLEANUP, and

Sorry. This is wrong. F-PROT is not made in Vaasa, Finland. We just got it first ;-)

--
== Harri Valkama, University of Vaasa, Finland ================================
P.O. Box 700, 65101 VAASA, Finland (tel:+358 61 248426 fax:+358 61 248465)
hv@uwasa.fi  hv@nic.funet.fi  hkv@flame.uwasa.fi  harri.valkama@wmac00.uwasa.fi
Moderating at chyde.uwasa.fi (128.214.12.3) & nic.funet.fi (128.214.6.100)
brian@mermaid.micro.umn.edu (Brian) (11/30/90)
Oh, by the way, my .signature is a quote by... well, here is the corrected version with attribution:

--
Brian   "When I have a headache, NO ONE gets laid!"
        - hin9@midway.uchicago.edu (T. Rev)
garlange@mentor.cc.purdue.edu (Mark Garlanger) (12/05/90)
>Personally, I feel that a PC should boot from a floppy only when you
>tell it to do so. It should not be the default. Maybe you BIOS
>manufacturers (if that's who's responsible) can take a hint. Give us a
>break guys.

Buy a Zenith, that is how they do it.

Mark
goyal@ccu.umanitoba.ca (12/22/90)
Thanks to all those who responded to my request regarding help with the Stoned virus. I got my hands on a pre-release copy of Norton Anti Virus (dated Dec 6 1990!) that worked beautifully to fix the problem. The utility can also be installed as a TSR so that it intercepts any virus being loaded into RAM. The only drawbacks are that (i) it is copy protected, and (ii) it requires about 25k RAM. No idea about the price however, since it will be released next year.

sameer goyal
goyal@ccu.umanitoba.ca
sethcohn@alchemy.tcnet.ithaca.ny.us (seth cohn) (03/28/91)
Virex will find the Stoned virus, but won't fix it.
What will? Please email me (I don't normally read this group).

thanx,
Seth

Seth Cohn, Service Tech.   607-273-2815 voice   607-272-7002 BBS
All things posted are opinions by me, of me, for me, or to me.
And another thing..........I'm not sure you're real.
jdwhite@iastate.edu (White Jason David) (03/29/91)
In article <yo8iZ1w162w@alchemy.tcnet.ithaca.ny.us> sethcohn@alchemy.tcnet.ithaca.ny.us (seth cohn) writes:
>Virex will find the Stoned virus, but won't fix it
>what will? please email me (i don't normally read this group)
>
>thanx,
>Seth
>
>Seth Cohn, Service Tech. 607-273-2815 voice 607-272-7002 BBS
>All things posted are opinions by me, of me, for me, or to me.
>And another thing..........I'm not sure you're real.

Here at Iowa State University, we get the Stoned virus all the time on our PCs. You could reformat the hard disk to get rid of it, but I prefer to use CLEAN from McAfee Associates. It's available via anonymous FTP from wuarchive.wustl.edu and other places, I'm sure.